Once upon a time…
I touched on this story in my article, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, but i wanted to give it a dedicated page and expand on it because i keep coming across bits of information which seem to verify something i was told long ago regarding encryption.
So i once sold a PC to a guy who said he had worked for the government either directly or as a contractor, i don't recall which, and he didn't state which department he worked for. He said he had a security clearance and, as i recall, it was a crypto clearance. He left me with the strong impression that he wasn't going to provide a lot of detail as to what exactly he did, however i had no reason to disbelieve anything he said since he seemed genuine and very matter-of-fact. Our time together was short because he had to be somewhere, but we chatted a while and he touched upon some very interesting topics that i wanted to know more about, and so i suggested we continue our conversation through encrypted email. He looked at me and responded with a three-word reply that has stuck with me ever since: "Encryption is useless."
Obviously encryption is not useless, but i think what he meant was that the "intelligence" community has the ability to break possibly whatever encryption exists. While i was somewhat skeptical about his statement back in 2003 or so, that skepticism has since evaporated. First of all, we have to consider the computing power that the intelligence communities have access to. Let's assume that you're encrypting an email using some supposedly highly secure encryption algorithm along with a very long and secure passphrase, and let's further assume that it would take roughly 10,000 years for the average computer to break it. Would you feel confident using such encryption? Well, what happens if that code breaking computer is 100,000 times more powerful than average? And what if you chain together 100 of those computers? Breaking that encryption may now be possible in a few hours or seconds. Does the NSA not have access to computers that are orders of magnitude more powerful than anything in the public sphere? And what might they have that we don't know about?
Whether encryption is useless or not also depends upon the threat that we want to mitigate. For example, if you wanted to download copyrighted content and protect yourself from having your ISP monitor your internet traffic and send you nasty-grams, then encryption is certainly not useless. However given what i have read and heard over the years, i strongly suspect that encryption is not effective if it is, for example, the NSA that decides to target you and i think that multiple statements and documents released by Edward Snowden and Bill Binney verify this. There is perhaps another possibility here though. What if, as some suspect, Snowden was allowed to leak what he did, sort of as a limited hangout? Personally i think Snowden is genuine, but that doesn't necessarily mean that the information in the documents he released wasn't intended to be released. What if the U.S. intelligence community wanted to quell a potential uprising by 'we the people'? It is apparently a historic fact that one way to accomplish this is to make people think they are being surveilled which, in turn, compromises their ability to communicate effectively due to self-censorship. While i think we can be reasonably certain that everything we say or do online, or while in the presence of a smartphone, can be spied upon and stored indefinitely, how does one process such a vast amount of data? Both Binney and Snowden also raise this question and have stated that the massive, ongoing and patently illegal and unconstitutional data collection practices as employed by intelligence communities are not effective in preventing threats because of the wide net they cast.
In closing, i would say that it doesn't matter if the threat is real or not, or whether strong encryption can be broken or not. Since we simply cannot know for certain in all cases, we must assume the threats are credible, however i do not wish to scare people unnecessarily. I think that activists, journalists, whistle-blowers and everyone else should never be dissuaded from communicating, though i do think we need to be aware of these threats.
Resources used to write this article
- Researchers crack the world's toughest encryption by listening to the tiny sounds made by your computer's CPU | ExtremeTech
- How secure is today's encryption against quantum computers? | betanews
- Revealed: how US and UK spy agencies defeat internet privacy and security | The Guardian
- The NSA Can Beat Almost Any Type of Encryption | Gizmodo
- N.S.A. Able to Foil Basic Safeguards of Privacy on Web | The New York Times
- The Clock Is Ticking for Encryption | Computerworld
- NSA Utah Data Center – Serving Our Nation's Intelligence Community | NSA
- Had a copyright letter from your ISP? Do tell… | The Guardian
- NSA Whistleblower: Government Collecting Everything You Do | Abby Martin, Empire Files